SecurityTrails Blog · Sep 07 · by Esteban Borges

Introducing the Palo Alto Networks Cortex XSOAR + Attack Surface Intelligence Integration

Reading time: 4 minutes
Listen to this article

We are super excited to announce the immediate availability of our Palo Alto Cortex XSOAR + Attack Surface Intelligence integration.

Thanks to the recent introduction of the Risk Rules API, the new Cortex XSOAR integration allows you to quickly identify critical risks on your infrastructure, and get alerts on the Cortex XSOAR platform.

Cortex XSOAR is one of the top leading security orchestration, automation and response (SOAR) platforms available, a valuable tool that helps security teams manage, automate and collaborate, to leverage threat intelligence so security teams can improve their incident management.

Benefits your security team gets when using this integration:

  • Visualizing the most critical risks within your organization
  • Automating security-policy enforcement in critical systems
  • Improving your incident response times
  • Staying on top of M&A risks
  • Seeing the full context of the security incidents
  • Effectively reducing your attack surface

How does it work?

Let’s take a look at the installation, and how to use this integration.


  • Log in to your Cortex XSOAR admin interface
  • On the left menu, go to MarketPlace
  • Search for “Recorded Future”, and you’ll see ‘Recorded Future Attack Surface Intelligence’ or ‘Recorded Future ASI’, click on it
Cortex XSOAR admin interface
  • On the top right corner, click on “Install”
Instal ASI


The Recorded Future Attack Surface Intelligence integration with Cortex XSOAR works by linking your current Attack Surface Intelligence project, within the Cortex XSOAR interface.

To set this up within your Cortex XSOAR environment:

  1. Go to Settings -> Integrations -> Instances
Cortex XSOAR environment setup Cortex XSOAR environment setup
  1. Search for the Recorded Future Attack Surface Intelligence Pack, and select Add Instance:
Recorded Future Attack Surface Intelligence Pack
  1. Select a name for the instance (choosing something that includes the Attack Surface Intelligence Project Title can be helpful)

  2. Enter configuration:

    • Enter the Project ID
    • Enter an API Key that has access to the above Project ID
    Project ID and API key
  3. Configure the Pack to Fetch incidents and set up any optional mappings and Incident Types

Fetch incidents
  1. Set the fetch interval to match the frequency in which your Attack Surface Intelligence Project gets a snapshot (the suggested XSOAR Pack frequency is 1 day)
Set the fetch interval
  1. Click the Test button to make sure the API Key and Project ID are set up correctly
Click the Test button
  1. Click Save & Exit

  2. Incidents should immediately populate in your XSOAR instance for each rule that you see in SurfaceBrowser™.
Incidents list
  1. Clicking the Fetch History icon next to the new Pack instance will show you details of each time the Pack runs
Fetch History Fetch History

Analyzing the results

Now that the project is up and running in your Cortex XSOAR platform, let’s see what we can find.

After clicking on the Incidents link on the left menu, you’ll land on a page showing all the current incidents found in the past X days (7 days, 30 days, you name it).

Analyzing the results

On that interface, you’ll be able to find incidents filtered by Severity (Critical, Medium, and Low) as well as the complete list of incidents, along with their ID, Name, Type, Status, and Owner, among other details.

incidents filtered by Severity

This page allows you to quickly identify the most critical issues and jump right into them, as shown in the above screenshot. Once you click on the ID, it will take you to the particular incident you want to investigate, reporting all the available details, including Indicators, Timeline information, Investigation Data, and much more.


The Recorded Future Attack Surface Intelligence integration with Cortex XSOAR is here to make your life easier, enabling security teams to gain access to the right incident information from our Attack Surface Intelligence Risk Rules in a handy way.

Download the integration from the XSOAR Marketplace—and if you are not yet using Attack Surface Intelligence, book your demo today!

Esteban Borges Blog Author

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders